Stolen Ashley Madison data dumped online, seems legitimate

As you might have heard by now, some 10 gigabytes of data allegedly stolen in last month’s Ashley Madison hack have been leaked by the attackers on the Dark Web and on Torrent file-sharing services.

The question is: Is the data legitimate?

Former Ashley Madison CTO Raja Bhatia denied it, saying that the batch includes credit card data.

“We use transaction IDs, just like every other PCI compliant merchant processor. If there is full credit card data in a dump, it’s not from us, because we don’t even have that,” he told Brian Krebs and explained: “When someone completes a payment, what happens is from our payment processor, we get a transaction ID back. That’s the only piece of information linking to a customer or consumer of ours.”

But the data dump has been analyzed by security researchers and enthusiasts, and it seems that, after all, full credit card data is not found in it.

A post on Hydraze & Friends breaks down the dump and shows what data has been included:

• 32 million user data (name, street address, phone number, relationship status, what they are looking for, if they drink, smoke, security question, date of birth, nickname, and so on)
• Some 36 million email addresses
• 30 million usernames and passwords hashed with the bcrypt algorithm
• Member details (physical description)
• An archive of credit card transactions from the past 7 years
• Internal Ashley Madison documents.

“The biggest indicators to legitimacy comes from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more,” commented TrustedSec researcher Dave Kennedy. “This is much more problematic as its not just a database dump, this is a full scale compromise of the entire companies infrastructure including Windows domain and more.”

“Regardless of ethics, this is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison’s organization undetected for a long period of time. Ashley Madison has not commented on the original source of the breach, how it occurred, or how they were compromised,” he added.

Errata Security’s Robert Graham says that some of his Twitter followers who are Ashley Madison members confirmed that they found their data in the dump. Brian Krebs says some of his sources said that, as well.

A breakdown of the leaked email addresses shows that there have been many users from the US government and armed forces.

Still, as Graham Cluley points out, the fact that someone’s email is found in the dump is not evidence that they have cheated on their partner, especially because Ashley Madison never bothered to verify the email addresses given to it by users.

In a statement yesterday, Avid Life Media, the owner of Ashley Madison, said they are still investigating the breach and are cooperating with law enforcement investigations, but didn’t confirm the legitimacy of the dumped data.

The statement includes a relatively transparent attempt to redirect their customers’ ire at the hackers (not that I blame them – they want to keep the business going) and a call to people out there who know one or more of the individuals who performed the hack to come forward with the information.